| Summary: | glib2.0 new security issue CVE-2020-6750 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, herman.viaene, nicolas.salguero, olav, sysadmin-bugs, thierry.vignaud, tmb |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7-64-OK | | |
| Source RPM: | glib2.0-2.60.2-1.2.mga7.src.rpm | CVE: | CVE-2020-6750 |
| Status comment: | | | |

Description
David Walser
2020-02-20 22:30:03 CET
David Walser
2020-02-20 22:30:25 CET
Whiteboard: (none) => MGA7TOO
David Walser
2020-02-21 17:54:08 CET
Status comment: (none) => Patch available from Fedora

This pkg has no registered maintainer, so assigning globally; CC'ing some packagers who have done recent commits of it.

CC: (none) => olav, thierry.vignaud

Fedora advisory for 2.60.x (which we have in Mageia 7) from February 23:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KJMLGW55HOQXHMTIPH2PWXFRBNBWVO4W/

This was fixed in 2.62.5 and 2.63.6 (now in Cauldron).

Whiteboard: MGA7TOO => (none)

Suggested advisory:
========================

The updated packages fix a security vulnerability:

GSocketClient in GNOME GLib through 2.62.4 may occasionally connect directly to a target address instead of connecting via a proxy server when configured to do so, because the proxy_addr field is mishandled. This bug is timing-dependent and may occur only sporadically depending on network delays. The greatest security relevance is in use cases where a proxy is used to help with privacy/anonymity, even though there is no technical barrier to a direct connection. (CVE-2020-6750)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6750
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5RIFEDSRJ4P3WFCMDUOFQ2LEILZLMDW7/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KJMLGW55HOQXHMTIPH2PWXFRBNBWVO4W/
========================

Updated packages in core/updates_testing:
========================
glib2.0-common-2.60.2-1.3.mga7
lib(64)glib2.0_0-2.60.2-1.3.mga7
lib(64)gio2.0_0-2.60.2-1.3.mga7
lib(64)glib2.0-devel-2.60.2-1.3.mga7
lib(64)glib2.0-static-devel-2.60.2-1.3.mga7
glib-gettextize-2.60.2-1.3.mga7

from SRPMS:
glib2.0-2.60.2-1.3.mga7.src.rpm

Status: NEW => ASSIGNED

MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref. to bug 25276 for tests. This bug mentions to reboot after installation, so I did it as well, but MCC does not ask for it. Anyway, after reboot found no problems.
Played mpeg and odp files over NFS accessed shares over wifi.
Installed also anki as in bug 25276, opens OK.

CC: (none) => herman.viaene

The tester in Bug 25276 updated some glibc packages along with the glib2.0 packages. Glibc generated the need for the reboot.

Validating. Advisory in Comment 3.

CC: (none) => andrewsfarm, sysadmin-bugs
Thomas Backlund
2020-03-06 16:07:06 CET
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0118.html

Resolution: (none) => FIXED
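
The following is an added example, not part of the bug report or of Mageia's tooling: it checks a list of installed packages against the fixed release 2.60.2-1.3.mga7 named in the advisory above. The version comparison is a simplified form of RPM's segment-wise ordering, and the function names and sample input are constructed for illustration.

```python
import re

# Fixed release for Mageia 7, taken from the advisory on this page.
FIXED_EVR = "2.60.2-1.3.mga7"
# Binary packages from the advisory; "lib(64)" there stands for lib or lib64.
PKG_RE = re.compile(
    r"^(glib2\.0-common|glib-gettextize|"
    r"lib(64)?(glib2\.0_0|gio2\.0_0|glib2\.0-devel|glib2\.0-static-devel))$")

def _segments(s):
    # Maximal runs of digits or of letters; everything else is a separator.
    return re.findall(r"\d+|[A-Za-z]+", s)

def vercmp(a, b):
    """Simplified rpmvercmp: no epoch, '~' or '^' handling. Returns -1/0/1."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment is newer than alpha
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments: newer

def evrcmp(a, b):
    """Compare 'version-release' strings: version first, then release."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    return vercmp(va, vb) or vercmp(ra, rb)

def unpatched(rpm_lines):
    """Return (name, evr) for the advisory's packages older than FIXED_EVR."""
    pairs = (line.split() for line in rpm_lines.strip().splitlines())
    return [(n, e) for n, e in pairs if PKG_RE.match(n) and evrcmp(e, FIXED_EVR) < 0]

# Constructed sample of: rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
SAMPLE = """
lib64glib2.0_0 2.60.2-1.2.mga7
lib64gio2.0_0 2.60.2-1.3.mga7
glib2.0-common 2.60.2-1.2.mga7
bash 5.0-6.mga7
"""

if __name__ == "__main__":
    for name, evr in unpatched(SAMPLE):
        print(f"{name} {evr} is older than {FIXED_EVR}")
```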